IBM DB2 Audit Events

About the IBM DB2 for LUW Audit Events

This appendix maps audit event names used in IBM DB2 for LUW to their equivalent values in the command_class and target_type fields in the Oracle AVDF audit record. The audit events are organized in useful categories, for example, Account Management events. You can use the audit events mapped here to create custom audit reports using other Oracle Database reporting products or third-party tools. See also "Oracle Audit Vault and Database Firewall Database Schemas" for Oracle AVDF data warehouse details that may be useful in designing your own reports.

Account Management Events

Account management events track SQL commands that affect user accounts, such as the UNLOCK ADMIN ACCOUNT command. Table G-1 lists the IBM DB2 account management events and the equivalent Oracle AVDF events.

Table G-1 IBM DB2 Account Management Audit Events

Source Event	Event Description	command_class	target_type
`ADD_DEFAULT_ROLE`	Add Default Role	CREATE	`NULL`
`ADD_USER`	Add User	`CREATE`	Any from List 3
`ALTER_USER_ADD_ROLE`	Alter User Add Role	`ALTER`	`NULL`
`ALTER_USER_ADD_ROLE`	Alter User Add Role	`ALTER`	Any from List 3
`ALTER_USER_AUTHENTICATION`	Alter User Authentication	`ALTER`	Any from List 3
`ALTER_USER_DROP_ROLE`	Alter User Drop Role	`ALTER`	Any from List 3
`AUTHENTICATION`	Authentication	`VALIDATE`	NULL
`DROP_DEFAULT_ROLE`	Drop Default Role	DROP	NULL
`DROP_USER`	Drop User	`DROP`	Any from List 3
`SET_SESSION_USER`	Set Session User	`SET`	Any from List 3

Application Management Events

Application management events track actions that were performed on the underlying SQL commands of system services and applications, such as the CREATE RULE command.

Table G-2 lists the IBM DB2 application management events and the equivalent Oracle AVDF events.

Table G-2 IBM DB2 Application Management Audit Events

Source Event Event Description command_class target_type

ALTER_OBJECT

Alter Object

ALTER

Any from List 2

CREATE_OBJECT

Create Object

CREATE

Any from List 2

DROP_OBJECT

Drop Object

DROP

Any from List 2

Audit Command Events

Audit command events track the use of auditing SQL commands on other SQL commands and on database objects. Table G-3 lists the IBM DB2 audit command events and the equivalent Oracle AVDF events.

Table G-3 IBM DB2 Audit Command Audit Events

Source Event	Event Description	command_class	target_type
`ALTER_AUDIT_POLICY`	Alter Audit Policy	`AUDIT`	`POLICY`
`ARCHIVE`	Archive	`ARCHIVE`	`NULL`
`AUDIT_REMOVE`	Audit Remove	`NOAUDIT`	`NULL`
`AUDIT_REPLACE`	Audit Replace	`AUDIT`	`NULL`
`AUDIT_USING`	Audit Using	`AUDIT`	`NULL`
`CONFIGURE`	Configure	AUDIT	NULL
`CREATE_AUDIT_POLICY`	Create Audit Policy	`AUDIT`	POLICY
`DROP_AUDIT_POLICY`	Drop Audit Policy	NOAUDIT	POLICY
`PRUNE`	Prune	`GRANT`	NULL
`START`	Start	`AUDIT`	`NULL`
`STOP`	Stop	`NOAUDIT`	`NULL`

Data Access Events

Data access events track audited SQL commands, such as all SELECT TABLE, INSERT TABLE, or UPDATE TABLE commands. The Data Access Report, described in "Data Access Report", uses these events.

Table G-4 lists the IBM DB2 data access events and the equivalent Oracle AVDF events.

Table G-4 IBM DB2 Data Access Audit Events

Source Event	Event Description	command_class	target_type
`EXECUTE`	Execute	`INSERT` `UPDATE`	`NULL`
`GET_DB_CFG`	Get DB Cfg	GET	NULL
`GET_DFLT_CFG`	Get Dflt Cfg	GET	NULL
`GET_GROUPS`	Get Groups	GET	NULL
`GET_TABLESPACE_STATISTIC`	Get Tablespace Statistic	`GET`	NULL
`GET_USERID`	Get Userid	GET	NULL
`READ_ASYNC_LOG_RECORD`	Read Async Log Record	`READ`	NULL
`STATEMENT`	Statement	`SELECT`	`NULL`
`STATEMENT`	Statement	`UPDATE`	`NULL`
`STATEMENT`	Statement	`INSERT`	`NULL`
`STATEMENT`	Statement	`DELETE`	`NULL`

Exception Events

Exception events track audited error and exception activity, such as network errors. These events do not have any event names.

Invalid Record Events

Invalid record events track audited activity that Oracle AVDF cannot recognize, possibly due to a corrupted audit record.

Object Management Events

Object management events track audited actions performed on database objects, such as CREATE TABLE commands. Table G-5 lists the IBM DB2 object management events and the equivalent Oracle AVDF events.

Table G-5 IBM DB2 Object Management Audit Events

Source Event	Event Description	command_class	target_type
`ALTER_OBJECT`	Alter Object	`ALTER` `ALTER` `ALTER` `ALTER` `ALTER` `ALTER`	Any from List 2
`CREATE_OBJECT`	Create Object	`CREATE` `CREATE` `CREATE` `CREATE` `CREATE` `CREATE`	Any from List 2
`DROP_OBJECT`	Drop Object	`DROP` `DROP` `DROP` `DROP` `DROP` `DROP`	Any from List 2
`RENAME_OBJECT`	Rename Object	`RENAME`	Any from List 2

Peer Association Events

Peer association events track database link commands. These events do not have any event names; they only contain event attributes.

Role and Privilege Management Events

Role and privilege management events track audited role and privilege management activity, such as granting a user permissions to alter an object. Table G-6 lists the IBM DB2 role and privilege management events and the equivalent Oracle AVDF events.

Table G-6 IBM DB2 Role and Privilege Management Audit Events

Source Event	Event Description	command_class	target_type
`ADD_DEFAULT_ROLE`	Add Default Role	CREATE	NULL
`ALTER_DEFAULT_ROLE`	Alter Default Role	ALTER	NULL
`ALTER_OBJECT`	Alter Object	`ALTER`	Any from List 2
`ALTER SECURITY POLICY`	Alter security policy	ALTER	NULL
`CHECKING_FUNCTION`	Checking Function	`VALIDATE`	Any from List 1
`CHECKING_MEMBERSHIP_IN_ROLES`	Checking Membership In Roles	VALIDATE	NULL
`CHECKING_OBJECT`	Checking Object	`VALIDATE`	Any from List 1
`CHECKING_TRANSFER`	Checking Transfer	VALIDATE	NULL
`CREATE_OBJECT`	Create Object	`CREATE`	Any from List 2
`DROP_DEFAULT_ROLE`	Drop Default Role	DROP	NULL
`DROP_OBJECT`	Drop Object	`DROP`	Any from List 2
`GRANT`	Grant	`GRANT`	Any from List 3
`GRANT_DB_AUTH`	Grant DB Auth	GRANT	NULL
`GRANT_DB_AUTHORITIES`	Grant DB Authorities	`GRANT`	`NULL`
`GRANT_DBADM`	Grant DBADM	`GRANT`	`NULL`
`IMPLICIT_GRANT`	Implicit Grant	`GRANT`	Any from List 3
`IMPLICIT_REVOKE`	Implicit Revoke	`REVOKE`	Any from List 3
`REVOKE`	Revoke	`REVOKE`	Any from List 3
`REVOKE_DB_AUTH`	Revoke DB Auth	REVOKE	NULL
`REVOKE_DB_AUTHORITIES`	Revoke DB Authorities	`SYSTEM`	`NULL`
`REVOKE_DBADM`	Revoke DBADM	`REVOKE`	`NULL`

Service and Application Utilization Events

Service and application utilization events track audited application access activity, such as the execution of SQL commands.

Table G-7 lists the IBM DB2 service and application utilization events and the equivalent Oracle AVDF events.

Table G-7 IBM DB2 Service and Application Utilization Audit Events

Source Event	Event Description	command_class	target_type
`EXECUTE`	Execute	`EXECUTE`	`NULL`
`EXECUTE_IMMEDIATE`	Execute Immediate	`EXECUTE`	`NULL`
`TRANSFER`	Transfer	`GRANT`	NULL

System Management Events

System management events track audited system management activity, such as the CREATE DATABASE and DISK INIT commands. Table G-8 lists the IBM DB2 system management events and the equivalent Oracle AVDF events.

Table G-8 IBM DB2 System Management Audit Events

Source Event	Event Description	command_class	target_type
`ACTIVATE_DB`	Activate DB	`ALTER`	`NULL`
`ADD_NODE`	Add Node	`CREATE`	`NULL`
`ALTER_BUFFERPOOL`	Alter Bufferpool	`ALTER`	`NULL`
`ALTER_DATABASE`	Alter Database	`ALTER`	`NULL`
`ALTER_NODEGROUP`	Alter Nodegroup	`ALTER`	`NULL`
`ALTER_OBJECT`	Alter Object	`ALTER`	Any from List 2
`ALTER_TABLESPACE`	Alter Tablespace	`ALTER`	`TABLESPACE`
`BACKUP_DB`	Backup DB	`BACKUP`	`DATABASE`
`BIND`	Bind	`ALTER`	`NULL`
`CATALOG_DB`	Catalog DB	SET	NULL
`CHANGE_DB_COMMENT`	Change DB Comment	`UPDATE`	NULL
`CATALOG_DCS_DB`	Catalog Dcs DB	SET	NULL
`CATALOG_NODE`	Catalog Node	`SET`	NULL
`CHECK_GROUP_MEMBERSHIP`	Check Group Membership	`VALIDATE`	NULL
`CLOSE_CONTAINER_QUERY`	Close Container Query	`CLOSE`	`NULL`
`CLOSE_CURSOR`	Close Cursor	`CLOSE`	`CURSOR`
`CLOSE_HISTORY_FILE`	Close History File	`ALTER`	`NULL`
`CLOSE_TABLESPACE_QUERY`	Close Tablespace Query	`CLOSE`	`NULL`
`CONFIGURE`	Configure	`AUDIT`	`NULL`
`CREATE_BUFFERPOOL`	Create Bufferpool	`CREATE`	`NULL`
`CREATE_DATABASE`	Create Database	`CREATE`	`DATABASE`
`CREATE_DB_AT_NODE`	Create DB at Node	`CREATE`	`NULL`
`CREATE_EVENT_MONITOR`	Create Event Monitor	`CREATE`	`NULL`
`CREATE_INSTANCE`	Create Instance	`CREATE`	`NULL`
`CREATE_NODEGROUP`	Create Nodegroup	`CREATE`	`NULL`
`CREATE_OBJECT`	Create Object	`CREATE`	Any from List 2
`CREATE_TABLESPACE`	Create Tablespace	`CREATE`	`TABLESPACE`
`DB2AUDIT`	DB2 Audit	`ALTER`	`NULL`
`DB2REMOT`	DB2 Remote	`REMOTE CALL`	`NULL`
`DB2SET`	DB2 Set	`ALTER`	`NULL`
`DB2TRC`	Db2trc	DROP	NULL
`DBM_CFG_OPERATION`	DBM Cfg Operation	`CONFIGURE`	`NULL`
`DEACTIVATE_DB`	Deactivate DB	`ALTER`	`NULL`
`DESCRIBE`	Describe	`DESCRIBE`	`NULL`
`DESCRIBE_DATABASE`	Describe Database	`DESCRIBE`	`NULL`
`DELETE_INSTANCE`	Delete Instance	`DELETE`	`NULL`
`DISCOVER`	Discover	`GET`	`NULL`
`DROP_BUFFERPOOL`	Drop Bufferpool	`DROP`	`NULL`
`DROP_DATABASE`	Drop Database	`DROP`	`DATABASE`
`DROP_EVENT_MONITOR`	Drop Event Monitor	`DROP`	`NULL`
`DROP_NODE_VERIFY`	Drop Node Verify	DROP	NULL
`DROP_NODEGROUP`	Drop Nodegroup	`DROP`	`NULL`
`DROP_OBJECT`	Drop Object	`DROP`	Any from List 2
`DROP_TABLESPACE`	Drop Tablespace	`DROP`	`NULL`
`ENABLE_MULTIPAGE`	Enable Multipage	`ENABLE`	`NULL`
`EXTERNAL_CANCEL`	External Cancel	`STOP`	`NULL`
`ESTIMATE_SNAPSHOT_SIZE`	Estimate Snapshot Size	`CALCULATE`	`NULL`
`EXTRACT`	Extract	`GET`	`NULL`
`FETCH_CONTAINER_QUERY`	Fetch Container Query	`RETRIEVE`	`NULL`
`FETCH_CURSOR`	Fetch Cursor	`RETRIEVE`	`CURSOR`
`FETCH_HISTORY_FILE`	Fetch History File	`RETRIEVE`	`NULL`
`FETCH_TABLESPACE`	Fetch Tablespace	RETRIEVE	NULL
`FETCH_TABLESPACE_QUERY`	Fetch Tablespace Query	`RETRIEVE`	`NULL`
`FLUSH`	Flush	`FLUSH`	`NULL`
`FORCE_APPLICATION`	Force Application	`FORCE`	`NULL`
`GET_SNAPSHOT`	Get Snapshot	`GET`	`NULL`
`GET_USERMAPPING_FROM_PLUGIN`	Get Usermapping From Plugin	GET	NULL
`IMPLICIT_REBIND`	Implicit Rebind	`BIND`	`NULL`
`KILLDBM`	Kill DBM	`ALTER`	`NULL`
`LIST_DRDA_INDOUBT_TRANSACTIONS`	List Drda Indoubt Transactions	LIST	NULL
`LIST_LOGS`	List Logs	`LIST`	`NULL`
`LOAD_MSG_FILE`	Load Msg File	`LOAD`	`NULL`
`LOAD_TABLE`	Load Table	`INSERT`	`NULL`
`MERGE_DBM_CONFIG_FILE`	Merge DBM Config File	`UPDATE`	NULL
`MIGRATE_DB`	Migrate DB	`MIGRATE`	`NULL`
`MIGRATE_DB_DIR`	Migrate DB DIR	`MIGRATE`	`NULL`
`MIGRATE_SYSTEM_DIRECTORY`	Migrate System Directory	`MIGRATE`	`NULL`
`OPEN_CONTAINER_QUERY`	Open Container Query	`OPEN`	`NULL`
`OPEN_CURSOR`	Open Cursor	`OPEN`	`CURSOR`
`OPEN_HISTORY_FILE`	Open History File	`OPEN`	`NULL`
`OPEN_TABLESPACE_QUERY`	Open Tablespace Query	`OPEN`	`NULL`
`PREPARE`	Prepare	`ASSIGN`	`NULL`
`PRUNE_RECOVERY_HISTORY`	Prune Recovery History	`PRUNE`	`NULL`
`QUIESCE_TABLESPACE`	Quiesce Tablespace	`ALTER`	`NULL`
`REBIND`	Rebind	`ALTER`	`NULL`
`REDISTRIBUTE`	Redistribute	`SEND`	`NULL`
`REDISTRIBUTE_NODEGROUP`	Redistribute Nodegroup	SEND	NULL
`RELEASE SAVEPOINT`	Release savepoint	`RELEASE`	`NULL`
`RENAME_TABLESPACE`	Rename Tablespace	`RENAME`	`NULL`
`RESET_ADMIN_CFG`	Reset Admin Cfg	`RESET`	`NULL`
`RESET_DB_CFG`	Reset DB Cfg	`RESET`	`NULL`
`RESET_DBM_CFG`	Reset DBM Cfg	`RESET`	`NULL`
`RESET_MONITOR`	Reset Monitor	`RESET`	`NULL`
`RESTORE_DB`	Restore DB	`RESTORE`	`DATABASE`
`ROLLFORWARD_DB`	Rollforward DB	`ROLLFORWARD`	`DATABASE`
`RUNSTATS`	Run Stats	`EXECUTE`	`NULL`
`SAVEPOINT`	Savepoint	`SAVEPOINT`	`NULL`
`SET_APPL_PRIORITY`	Set Appl Priority	`SET`	`NULL`
`SET_EVENT_MONITOR_STATE`	Set Event Monitor State	SET	NULL
`SET_MONITOR`	Set Monitor	`SET`	`NULL`
`SET_RUNTIME_DEGREE`	Set Runtime Degree	`SET`	`NULL`
`SET SAVEPOINT`	Set Savepoint	`SET`	`NULL`
`SET_TABLESPACE_CONTAINERS`	Set Tablespace Containers	`SET`	`NULL`
`SINGLE_TABLESPACE_QUERY`	Single Tablespace Query	`EXECUTE`	`NULL`
`START_DB2`	Start DB2	`STARTUP`	`DATABASE`
`STOP_DB2`	Stop DB2	`SHUTDOWN`	`DATABASE`
`UNCATALOG_DB`	Uncatalog DB	RESET	NULL
`UNLOAD_TABLE`	Unload Table	`DELETE`	`NULL`
`UNQUIESCE_TABLESPACE`	Unquiesce Tablespace	`ALTER`	`NULL`
`UPDATE_ADMIN_CFG`	Update Admin Cfg	`UPDATE`	`NULL`
`UPDATE_AUDIT`	Update Audit	`ALTER`	`NULL`
`UPDATE_CLI_CONFIGURATION`	Update CLI Configuration	UPDATE	NULL
`UPDATE_DB_CFG`	Update DB Cfg	`UPDATE`	`NULL`
`UPDATE_DB_VERSION`	Update DB Version	UPDATE	NULL
`UNCATALOG_DCS_DB`	Uncatalog Dcs DB	RESET	NULL
`UNCATALOG_NODE`	Uncatalog Node	RESET	NULL
`UPDATE_DBM_CFG`	Update DBM Cfg	`UPDATE`	Any from List 3
`UPDATE_RECOVERY_HISTORY`	Update Recovery History	`UPDATE`	`NULL`

Unknown or Uncategorized Events

Unknown or uncategorized events track audited activity that cannot be categorized. Table G-9 lists the IBM DB2 unknown or uncategorized event and equivalent Oracle AVDF event.

Table G-9 IBM DB2 Unknown or Uncategorized Audit Events

Source Event	Event Description	command_class	target_type
`ALTER_OBJECT`	Alter Object	`ALTER`	Any from List 2
`CREATE_OBJECT`	Create Object	`CREATE`	Any from List 2
`DROP_OBJECT`	Drop Object	`DROP`	Any from List 2

User Session Events

User session events track audited authentication events for users who log in to the database.

Table G-10 lists the IBM DB2 user session events and the equivalent Oracle AVDF events.

Table G-10 IBM DB2 User Session Audit Events

Source Event	Event Description	command_class	target_type
`ATTACH`	Attach	`CONNECT`	`NULL`
`AUTHENTICATE`	Authenticate	`AUTHENTICATE`	`NULL`
`COMMIT`	Commit	`COMMIT`	`NULL`
`CONNECT`	Connect	`LOGIN`	`NULL`
`CONNECT_RESET`	Connect Reset	`LOGOUT`	`NULL`
`CONNECT RESET`	Connect Reset	`LOGOUT`	`NULL`
`DETACH`	Detach	`DISCONNECT`	`NULL`
`GLOBAL COMMIT`	Global Commit	`COMMIT`	NULL
`GLOBAL ROLLBACK`	Global Rollback	`ROLLBACK`	NULL
`REQUEST_ROLLBACK`	Request Rollback	`REQUEST`	NULL
`ROLLBACK`	Rollback	`ROLLBACK`	`NULL`
`SET_SESSION_USER`	Set Session User	`SET`	NULL
`SWITCH_USER`	Switch User	`MOVE`	NULL
`SWITCH USER`	Switch User	`MOVE`	NULL

Target Type Values

Target Type values associated with certain audit events can be any from the following lists. See the Audit Event tables in the appendix for references.

List 1

Possible Target Types
`SYNONYM`
`ALL`
`POLICY`
`BUFFERPOOL`
`DATABASE`
`EVENT MONITOR`
`FUNCTION`
`FUNCTION MAPPING`
`VARIABLE`
`HISTOGRAM TEMPLATE`
`INDEX`
`INSTANCE`
`METHOD`
`MODULE`
`NODEGROUP`
`NONE`
`PROFILE`
`PACKAGE`
`PACKAGE CACHE`
`REOPT VALUES`
`ROLE`
`SCHEMA`
`SEQUENCE`
`SERVER`
`SERVER OPTION`
`SERVICE CLASS`
`PROCEDURE`
`TABLE`
`TABLESPACE`
`THRESHOLD`
`CONTEXT`
`TYPE MAPPING`
`TYPE&TRANSFORM`
`USER MAPPING`
`VIEW`
`WORK ACTION SET`
`WORK CLASS SET`
`WORKLOAD`
`WRAPPER`
`XSR OBJECT`

List 2

Possible Target Types
`SYNONYM`
`POLICY`
`BUFFERPOOL`
`CONSTRAINT`
`TYPE`
`EVENT MONITOR`
`FOREIGN_KEY`
`FUNCTION`
`FUNCTION MAPPING`
`GLOBAL_VARIABLE`
`HISTOGRAM TEMPLATE`
`INDEX`
I`NDEX EXTENSION`
`JAVA`
`METHOD`
`MODULE`
`NODEGROUP`
`NONE`
`PACKAGE`
`PRIMARY_KEY`
`ROLE`
`SCHEMA`
`LABEL`
`SECURITY LABEL COMPONENT`
`POLICY`
`SEQUENCE`
`SERVER`
`SERVER OPTION`
`SERVICE CLASS`
`PROCEDURE`
`TABLE`
`TABLESPACE`
`THRESHOLD`
`TRIGGER`
`CONTEXT`
`TYPE MAPPING`
`TYPE&TRANSFORM`
`CONSTRAINT`
`USER MAPPING`
`VIEW`
`WORK ACTION SET`
`WORK CLASS SET`
`WORKLOAD`
`WRAPPER`

List 3

Possible Target Types
`RULE`
`DATABASE`
`FUNCTION`
`VARIABLE`
`INDEX`
`METHOD`
`MODULE`
`SYNONYM`
`NONE`
`PACKAGE`
`ROLE`
`SCHEMA`
`LABEL`
`POLICY`
`SERVER`
`PROCEDURE`
`TABLE`
`TABLESPACE`
`CONTEXT`
`VIEW`
`WORKLOAD`
`XSR OBJECT`

G IBM DB2 Audit Events

About the IBM DB2 for LUW Audit Events

Account Management Events

Application Management Events

Audit Command Events

Data Access Events

Exception Events

Invalid Record Events

Object Management Events

Peer Association Events

Role and Privilege Management Events

Service and Application Utilization Events

System Management Events

Unknown or Uncategorized Events

User Session Events

Target Type Values

List 1

List 2

List 3